This topic describes how to grant permissions across Alibaba Cloud accounts to view resources in Function Compute by using the Resource Access Management (RAM) console or using an SDK to obtain a Security Token Service (STS) token.

Examples

Enterprise A has activated Function Compute and requires Enterprise B to manage Function Compute resources. Enterprise A has the following requirements:
  • Enterprise A can focus on its business systems and act only as the owner of Function Compute. In addition, Enterprise A can authorize Enterprise B to manage specified resources, such as creating services and functions.
  • If an employee joins or leaves Enterprise B, Enterprise A does not need to change permissions. Enterprise B can grant its RAM users fine-grained permissions on resources of Enterprise A.
  • If the agreement between Enterprise A and Enterprise B ends, Enterprise A can revoke the permissions that are granted to Enterprise B.

Use the RAM console

For example, Enterprise A needs to authorize employees of Enterprise B to access all services in Function Compute. Enterprise A has an Alibaba Cloud account named Account A, and Enterprise B has an Alibaba Cloud account named Account B.
  • The ID of Account A is 123456789012****, and the account alias is company-a.
  • The ID of Account B is 134567890123****, and the account alias is company-b.

Step 1: Create a RAM role by using Account A

Use Account A to create a RAM role, grant the required permissions to the RAM role, and then authorize Account B to assume this role. In this case, you must enter Account B in the Other Alibaba Cloud Account field.

  1. Use Account A to log on to the RAM console.
  2. In the left-side navigation pane, click RAM Roles.
  3. On the RAM Roles page, click Create RAM Role.
  4. In the Create RAM Role pane, set the Trusted Entity Type parameter to Alibaba Cloud Account, and then click Next.
  5. Configure the RAM role.
    1. Specify RAM Role Name.
    2. Optional: Specify Note.
    3. Select Current Alibaba Cloud Account or Other Alibaba Cloud Account.
      • Current Alibaba Cloud Account: If you want a RAM user that belongs to your Alibaba Cloud account to assume the RAM role, select Current Alibaba Cloud Account.
      • Other Alibaba Cloud Account: If you want a RAM user that belongs to a different Alibaba Cloud account to assume the RAM role, select Other Alibaba Cloud Account and enter the ID of the Alibaba Cloud account. This option is provided to authorize different Alibaba Cloud accounts.
        Note You can view the ID of an Alibaba Cloud account on the Security Settings page.
  6. Select Current Alibaba Cloud Account in the Select Trusted Alibaba Cloud Account field and click OK.
    Note If you select Other Alibaba Cloud Account, you must enter the ID of the Alibaba Cloud account.
  7. Click Close.
  8. Use Account A to attach the AliyunFCReadOnlyAccess policy to the created RAM role. For more information about how to grant permissions to a RAM role, see Grant permissions to a RAM role.
After the RAM role is created, you can view the Alibaba Cloud Resource Name (ARN) and trust policy about the RAM role in the Basic Information section on the details page of the RAM role.
  • In this example, the ARN of the RAM role is acs:ram::123456789012****:role/fc-admin.
  • The following script shows the trust policy of the RAM role:
    Note This policy indicates that only RAM users that belong to Account B can assume the RAM role.
    {
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Principal": {
            "RAM": [
              "acs:ram::134567890123****:root"
            ]
          }
        }
      ],
      "Version": "1"
    }
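The trust policy above is what decides which accounts can assume the role, so it is worth checking it before any permission policy is attached. The following is an added example (not code from the Alibaba Cloud documentation) that parses a trust policy of this form, lists the account IDs allowed to call sts:AssumeRole, and flags any principal that is not a plain acs:ram::<id>:root entry; the sample policy is the one shown above with its masked account ID.

```javascript
// Added audit helper for RAM role trust policies (not from the Alibaba Cloud docs).
const ROOT_PRINCIPAL = /^acs:ram::([0-9*]+):root$/; // "acs:ram::<account id>:root"

// Convert a policy Action pattern ("sts:AssumeRole", "sts:*", "*") into a RegExp.
function actionPattern(pattern) {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
  return new RegExp('^' + escaped + '$', 'i');
}

// Return the account IDs trusted by the policy and any principal that is not a plain
// acs:ram::<id>:root entry (a sign the policy is broader than the single-account intent).
function trustedAccounts(policy) {
  const accounts = new Set();
  const unexpected = [];
  const statements = [].concat(policy.Statement || []);
  for (const st of statements) {
    if (!st || st.Effect !== 'Allow') continue;
    const allowsAssume = [].concat(st.Action || [])
      .some(a => actionPattern(String(a)).test('sts:AssumeRole'));
    if (!allowsAssume) continue;
    const principals = st.Principal && st.Principal.RAM !== undefined ? [].concat(st.Principal.RAM) : [];
    if (principals.length === 0) { unexpected.push(JSON.stringify(st.Principal)); continue; }
    for (const p of principals) {
      const m = ROOT_PRINCIPAL.exec(String(p));
      if (m) accounts.add(m[1]); else unexpected.push(String(p));
    }
  }
  return { accounts: [...accounts].sort(), unexpected };
}

// True only when the role trusts exactly the expected accounts and nothing else.
function trustsOnly(policy, expectedIds) {
  const { accounts, unexpected } = trustedAccounts(policy);
  const expected = [...new Set(expectedIds)].sort();
  return unexpected.length === 0 && accounts.length === expected.length &&
    accounts.every((a, i) => a === expected[i]);
}

// Constructed sample: the trust policy from this page (account ID masked as shown there).
const SAMPLE_TRUST_POLICY = {
  Statement: [{ Action: 'sts:AssumeRole', Effect: 'Allow',
                Principal: { RAM: ['acs:ram::134567890123****:root'] } }],
  Version: '1',
};
```

Run trustsOnly(policy, ['<Account B ID>']) against the trust policy exported from the RAM console; a false result means the role trusts more, fewer, or different principals than intended.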

Step 2: Use Account B to create RAM users

  1. Use Account B to create RAM users for employees of enterprise B. For more information about how to create a RAM user, see Create a RAM user.
  2. Use Account B to attach the AliyunSTSAssumeRoleAccess policy to the RAM user. Then, the RAM user can assume the RAM role. For more information about how to grant permissions to a RAM user, see Grant permissions to a RAM user.

Step 3: Switch the identity for logon

If the RAM user that belongs to Account B needs to access resources within Account A, Account B can be used to grant the required permissions to the RAM user. The RAM user that belongs to Account B assumes the RAM role within Account A to access the resources within Account A. Perform the following steps:

  1. Use the RAM user that belongs to Account B to log on to the RAM console.
    For more information about how to log on to the console as a RAM user, see the RAM documentation on RAM user logon.
  2. Move the pointer over the profile picture in the upper-right corner of the console and click Switch Identity.
    1. Enter the enterprise alias (account alias), default domain name, or ID of the Alibaba Cloud account to which the RAM role belongs. For more information, see View and modify the default domain name.
    2. Enter the name of the RAM role. For more information, see View the basic information about a RAM role.
    For more information, see Assume a RAM role.

(Optional) Revoke the granted permissions

If the agreement between Enterprise A and Enterprise B ends, Enterprise A can revoke the permissions granted to Account B. Then, all RAM users that belong to Account B no longer have the permissions of the RAM role. Perform the following steps:

  1. Use Account A to log on to the RAM console.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, find the RAM user that you want to delete and click Delete in the Actions column.
  4. In the Delete User message, click I fully understand the risks and confirm the deletion.
Note Before you delete the RAM role, you must detach the policies that are attached to the RAM role. For more information, see Remove permissions from a RAM role.

Use an SDK

You can use STS to authorize temporary access to Function Compute. STS is a web service that provides STS tokens for cloud computing users. The following example shows how Account B obtains the permissions to view all services in Account A.

Prerequisites

Create a function

Procedure

  1. Use Account A to create a RAM role and select Account B as the trusted account.
  2. Use Account B to create RAM users and authorize RAM users to assume the RAM role.
    For more information, see Create a RAM user and Grant permissions to a RAM user.
  3. In the function of Account B, enter the following sample code to obtain a temporary access credential. For more information, see STS SDK overview and AssumeRole.
    // Node.js sample
    const Core = require('@alicloud/pop-core');

    // Construct an Alibaba Cloud client that is used to initiate requests.
    // Specify the AccessKey ID and AccessKey secret of the requester (the RAM user of Account B).
    var client = new Core({
      accessKeyId: '<accessKeyId>',
      accessKeySecret: '<accessSecret>',
      endpoint: 'https://sts.aliyuncs.com',
      apiVersion: '2015-04-01'
    });

    // Specify the parameters. RoleArn is the ARN of the RAM role created by Account A.
    var params = {
      "RegionId": "cn-hangzhou",
      "RoleArn": "<RoleARN>",
      "RoleSessionName": "<RoleSessionName>"
    };

    var requestOption = {
      method: 'POST'
    };

    // Initiate the request and obtain a response.
    client.request('AssumeRole', params, requestOption).then((result) => {
      console.log(JSON.stringify(result));
    }, (ex) => {
      console.log(ex);
    });

    # coding=utf-8
    # Python sample
    import json
    from aliyunsdkcore import client as AliyunSDK
    from aliyunsdksts.request.v20150401 import AssumeRoleRequest

    # Specify the AccessKey ID and AccessKey secret of the requester (the RAM user of Account B).
    def main():
        AccessKeySecret = '<accessSecret>'
        AccessKeyId = '<accessKeyId>'
        regionId = 'cn-hangzhou'

        sts_client = AliyunSDK.AcsClient(
            AccessKeyId,
            AccessKeySecret,
            regionId)
        # RoleArn is the ARN of the RAM role created by Account A.
        request = AssumeRoleRequest.AssumeRoleRequest()
        request.set_RoleArn("<RoleARN>")
        request.set_RoleSessionName('fc-python-sdk')
        response = sts_client.do_action_with_exception(request)
        response_json = json.loads(response)
        # Only the temporary credential is needed by the caller.
        result = json.dumps(response_json['Credentials'])
        print(result)

    if __name__ == "__main__":
        main()

    The following shows the expected output:

    {
      "RequestId": "964E0EC5-575B-4FF5-8FD0-D4BD8025602A",
      "AssumedRoleUser": {
        "Arn": "acs:ram::****:role/wss/wss",
        "AssumedRoleId": "***********:wss"
      },
      "Credentials": {
        "SecurityToken": "*************",
        "AccessKeyId": "STS.*************",
        "AccessKeySecret": "*************",
        "Expiration": "2021-05-28T11:23:19Z"
      }
    }
    Note For information about common questions that you may encounter when you obtain the STS token, see FAQ about RAM roles and STS tokens.
  4. Modify the function code of Account B to authorize the RAM user that belongs to Account B to view all services in Function Compute within Account A.
    Example:
    const FC = require('@alicloud/fc2');
    // Construct a client with the temporary credential returned by AssumeRole.
    // accountID is the ID of the account whose Function Compute resources are accessed (Account A in this example).
    const client = new FC('<accountID>', {
        region: '<yourRegionID>',
        accessKeyID: '<yourAccessKeyID>',
        securityToken: '<yourSecurityToken>',
        accessKeySecret: '<yourAccessKeySecret>'
    });
    // Query services.
    client.listServices().then(res => {
        console.log(JSON.stringify(res, null, ' '));
    }).catch(ex => console.log(ex));
    Important Make sure that the role created by Account A that is authorized to use the temporary key has the permissions to obtain the service list.
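Steps 3 and 4 are usually wired together in one function, and the STS credential carries an Expiration that the code must respect. The following is an added example (not code from the Alibaba Cloud documentation) that validates an AssumeRole response of the shape shown above, maps its Credentials onto the fc2 client option names, and re-assumes the role only when the cached credential is within a refresh margin of expiry. assumeRole is an injected async function (in practice a wrapper around the pop-core client.request('AssumeRole', ...) call above); region, refreshMarginSec and now are assumed parameter names.

```javascript
// Added example (not from the Alibaba Cloud docs): cache and refresh STS credentials for fc2.

// Validate an AssumeRole result and return its Credentials plus the expiry as a timestamp.
function parseCredentials(result) {
  const c = result && result.Credentials;
  const required = ['AccessKeyId', 'AccessKeySecret', 'SecurityToken', 'Expiration'];
  for (const k of required) {
    if (!c || typeof c[k] !== 'string' || c[k].length === 0) {
      throw new Error('AssumeRole response is missing Credentials.' + k);
    }
  }
  const expiresAt = Date.parse(c.Expiration); // e.g. "2021-05-28T11:23:19Z"
  if (Number.isNaN(expiresAt)) throw new Error('invalid Expiration: ' + c.Expiration);
  return { creds: c, expiresAt };
}

// True when nothing is cached or the cached credential expires within marginMs of nowMs.
function needsRefresh(cached, nowMs, marginMs) {
  return cached === null || cached.expiresAt - nowMs <= marginMs;
}

// Map STS credential field names onto the @alicloud/fc2 constructor option names.
function toFcOptions(creds, region) {
  return {
    region,
    accessKeyID: creds.AccessKeyId,
    accessKeySecret: creds.AccessKeySecret,
    securityToken: creds.SecurityToken,
  };
}

// Provider that reuses one temporary credential until shortly before it expires.
// assumeRole: async () => AssumeRole result; now: clock function (injectable for tests).
function stsCredentialProvider(assumeRole, region, refreshMarginSec = 300, now = Date.now) {
  let cached = null;
  return async function getFcOptions() {
    if (needsRefresh(cached, now(), refreshMarginSec * 1000)) {
      cached = parseCredentials(await assumeRole());
    }
    return toFcOptions(cached.creds, region);
  };
}
```

Pass the returned options as the second argument of new FC('<accountID>', options) before each call so a long-running function does not keep using a credential that has already expired.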